Editor’s Comments


Welcome to volume 12, issue 1 of the Journal of Physical Security (JPS). In addition to the 
usual editor’s rants and news about security that appear immediately below, this issue has 
papers about European physical security standards, the use of augmented reality in 
security, and making the business case for security investment. 


All papers are anonymously peer reviewed unless otherwise noted. We are very grateful 
indeed to the reviewers who contribute their time and expertise to advance our
understanding of security without receiving recognition or compensation. This is the true sign of
a professional! 


Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up 
there to be notified by email when a new issue becomes available. A cumulative table of 
contents for the years 2004 through 2019 is available at http://rbsekurity.com/JPS
Archives/grand jps TOC.pdf


JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small 
company devoted to physical security consulting, vulnerability assessments, and R&D. 


(http://rbsekurity.com) 


As usual, the views expressed in these papers and the editor’s comments are those of the 
author(s) and should not necessarily be ascribed to their home institution(s) or to Right 
Brain Sekurity. 


* * * * *


Counterfeit 1 

Payless Shoes, a company that sells discount shoes, pulled a joke on fashionistas. The 
company rented a former Armani store in Santa Monica, California, and renamed their fake 
store “Palessi”. They stocked the store with their discount shoes and boots, typically 
costing $20 to $40, but passed the shoes off as high-fashion, and charged $200 to $600 
each. 


The store quickly sold several thousand dollars of shoes before telling the customers, 
who were convinced they were buying high-fashion, that the shoes were made by Payless. 
Payless voluntarily refunded the money to customers. The company is using the prank for 
advertising purposes. Research has repeatedly shown that people judge quality primarily 
by price. 


This kind of fake marketing ploy has been exploited by other companies. For more 
information, see https://www.cnn.com/2018/11/29/business/payless-fake-store/index.html


* * * * *


Counterfeit 2


The Russians, and Vladimir Putin, have a long history of fakery. At the Putin Youth 
Forum in the city of Yaroslavl, Russia, there was an impressive demonstration of a highly 
advanced Russian robot. It turned out the “robot” was a man hiding inside a costume. See 
https://thenewsrep.com/111524/russias-fake-technology-a-man-in-a-suit-pretending-to-be-a-robot-was-just-the-tip-of-the-iceberg/


* * * * *


Counterfeit 3 


If you have your smart phone linked to a bank account, and significant funds in that 
account, you are at serious risk of being the target of “SIM-Swap” fraud. See
https://www.forexfraud.com for an explanation.


* * * * *


Chip Hack 


The suspected Chinese microchip hack—whether it actually happened or not—is a very 
serious security issue. See Ian Bogost’s excellent article in the Atlantic: 
https://www.theatlantic.com/technology/archive/2018/10/political-cost-chinese-hardware-hack/572383/


* * * * *


The Black Tom Explosion, 1916 


In 1916, prior to when the United States entered World War I, German agents destroyed 
an American munitions depot in Jersey City, New Jersey. The goal was to prevent the 
munitions from reaching the Allies. The explosion caused $2.2 million of damages (in 
today’s dollars) to the Statue of Liberty, and almost $500 million overall. There were at 
least 4 deaths and hundreds of injuries. For more information, see 
https://en.wikipedia.org/wiki/Black_Tom_explosion


* * * * *


Anti-Immigrant Sentiments and Bomb Scares, 1919 


Terrorism and fear of immigrants is nothing new. See this excellent article by Ron 
Grossman in the Chicago Tribune: 
https://www.chicagotribune.com/news/opinion/commentary/ct-perspec-flashback-bombs-mail-packages-1919-scare-1104-20181101-story.html


* * * * *

Very Oily 


The President of Mexico says that fuel thefts in Mexico exceed $3.5 billion per year. 
i of the thefts are an inside job but about 41 illegal pipeline taps are found per day. See


mexico-up-to-3- Sb- -yearly


* * * * *


Locked Out 


Popular Mechanics had an excellent article on what to do if you are locked out of your 
car. It also speaks to the low-level physical security offered by automobiles. See 
https://www.popularmechanics.com/cars/car-technology/a25589455/locked-keys-in-car/


* * * * *


Happy 1 


Happy employees are good for productivity. They are also good for security, as this 
helps to minimize the insider threat. This article has tips on encouraging happiness:


Banpicr: more- pouieesatil html


* * * * *


Happy 2 


Reportedly, 20% of Americans find their workplace hostile or threatening. Not good for 
the insider threat. See 
https://www.usatoday.com/story/money/careers/2017/08/14/one-fifth-americans-find-workplace-hostile-threatening/564252001/


* * * * *


Happy 3 


Airport police in India are being told to stop smiling and look more menacing. See 


https://www.bbc.com/news/world-asia-india-4578431
Fortunately in the US, TSA airport screeners already have this trick down cold.


* * * * *


Why the TSA Airport Screening Isn’t Effective (Even When They Report to Work)


The cable show “Adam Ruins Everything” took on airport security. See 
https://www.youtube.com/watch?v=-LDzOildyAA 


* * * * *


Nuclear Keystone Kops


For recent news stories and reports about the DOE and NNSA continuing incompetence 
in managing the US nuclear infrastructure see (for example): 


this-year/ 


https://www.fitsnews.com/2018/10/13/end-of-the-road-for-failed-mox-project


https://www.gao.gov/assets/700/696245.pdf


https://www.pogo.org/investigation/2018/05/nuke-agency-needs-budget-accountability/


* * * * *


More Incompetence 


The recent massive Equifax data breach was reportedly due to a failure to install a
security patch that had been available for two months:
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/


* * * * *


Life Imitating Security Theater 


Alan Axelrod’s book, Profiles in Folly: History’s Worst Decisions and Why They Went 
Wrong, is always a sobering read. It turns out that in life, not just in security, the recipe for 
disaster is arrogance, ignorance, stupidity, over reliance on gut instinct, not doing your 
homework, failure to consult varied viewpoints, absence or ineffectiveness of a devil’s 
advocate, refusal to envision failure and—above all else—not thoroughly identifying your 
vulnerabilities. 


* * * * *


Crashing


For the first time, the (lifetime) odds of an American dying from an opioid overdose now
exceed the odds of dying in a car accident: 1 in 96 (1.04%) versus 1 in 103 (0.97%). See
https://www.cnn.com/2019/01/14/health/opioid-deaths-united-states-surpass-road-accidents/index.html


* * * * *


No-No-TV 
Check out these amusing photos of CCTV gone crazy:
http://snallabolaget.com/security-fails-best-cctv-fails-this-week/


* * * * *


Security Metrics 

A security guard in Florida was fired after it became apparent he was thoroughly 
documenting his flatulence while on guard duty. See
https://news.avclub.com/florida-security-guard-documents-farts-online-for-6-mon-1828577912


-- Roger Johnston 
Oswego, Illinois 
February 2019 
Delaying Advanced Physical Attacks:
A Study on the Limitations of EN 1627-1630 


Kenny Frohde, M.Sc., cATO™ 


Abstract 


Physical security standards are used to facilitate a common approach when defining criteria 
for the selection of products for the protection of assets. The selection is achieved through 
establishing guidance specifications and defining minimum testing requirements. When 
such standards are used for the protection of high-value assets, it is important that they 
capture the methods and tools available to potential adversaries. Some of the most commonly
used standards for passive protective elements in Europe include the EN 1627-1630 series,
which are heavily relied upon when designing passive protection elements for high-value
assets.


In this paper, I argue that this suite of standards is too restricted in terms of threat definition, 
as it only includes limited and basic attack tools for testing and certification. By presenting 
a number of case studies, I will show that commercially available tools, that are more 
advanced than those included in the EN 1627-1630 standards, are used by adversaries when 
attacking passive protective elements of high-value assets. This results in shorter delay 
times than what is defined within the standards. As such, I conclude that the limitations 
within EN 1627-1630 must be regarded when designing physical protection systems for the 
protection of high-value assets, by considering the probability of interrupting an adversary 
using advanced attack tools before they achieve their task based on an aggregated analysis
of such performance measures.


Keywords 


Physical security, passive protection elements, standards, benchmarking 
Introduction


Physical security may be defined as the means for protecting tangible, valuable assets from 
loss or harm, or the use of physical means to protect intangible assets such as data and 
information. Physical security can be achieved through a systematic implementation of 
protective layers, which aims to prevent unauthorized physical access. This systematic 
implementation of protective layers includes devices, systems, barriers, or practices of a 
tangible nature, combined as protective layers. The function of the physical security strategy 
is to provide a range of such layers that maximize the probability of interrupting, and where 
necessary, neutralizing an adversary who seeks to obtain unauthorized physical access to
protected assets.


The function of physical security may be achieved through defense in depth. In its most 
traditional form, defense in depth has been applied to the protection of assets for centuries, 
where a succession of barriers has been implemented to delay unauthorized access and 
provide sufficient time for an appropriate response (Smith, 2003). Today, defense in depth 
may be viewed as a systems approach that integrates people, procedures, equipment and 
construction components into a system of combined protective elements that seek to detect,
delay, and respond against intrusions (Garcia, 2007).


In a defense in depth strategy, detection must occur in order to be aware of an initiated or 
on-going attack. Subsequent to detecting an adversary, delay mechanisms should slow down 
an adversary’s progress in order to provide sufficient time for a response force to interrupt 
or neutralize the adversary (Garcia, 2007). This relationship between the functions of 
physical security can be explained as dynamic, where the estimated response time required 
for interrupting or neutralizing an adversary after detection has occurred will heavily 
influence the cumulative need for passive protection elements and their respective delay
times.


Passive protective elements and delay time


Passive protective elements may be described as functions that aim to impede an adversary’s 
progress through providing resistance to tools or applied physical strength. The concept of 
delaying an adversary through the use of passive protective elements is defined in 
professional security literature as delay time (Mach & Boroš, 2017). Delay time is a variable
that depends on the properties of the delay function as well as the adversary’s skills and
attack tools used. Delay time is calculated according to the following formula:


Delay time = T2 - T1 


where T1 represents the initial time of the attack, and T2 is the time when the protective 
element has been penetrated, spoofed, defeated, or bypassed by the adversary (Mach & 
Boroš, 2017).


The significance of standards 


The European Commission (2018) defines standards as technical specifications delineating 
requirements for products, production processes, services, or test-methods. This may be 
thought of as benchmarking (European Commission, 2018). The underlying theory of 
benchmarking relies on measuring performance through supplying consistent values to 
which activities may be measured in order to ensure a minimum level of efficacy
(Stapenhurst, 2009).


According to Draper (2012, p. 284), standards and guidelines aim to provide concept 
communality through specifying an “approach to a specific subject area” as well as 
supporting concept implementation. Blades (2011) points out that alignment of concept 
comprehension helps encourage professional discussions, and facilitates a common 
understanding. Accordingly, standards play a crucial role for the development of a common 
language and a common approach within specific subject areas (Coole, Corkill & Woodward,
2012). Without a common language or common approach, it is apparent that there will exist
many different views on how, for instance, implementation and evaluation should be carried
out within a specific subject area (Frohde & Brooks, 2014).


Within the physical security domain, Fennelly’s works (2012, p. 174) defined a standard as
“a document published by a recognized body for the purpose of specifying requirements 
and/or an approach to a specific subject area”. Smith and Brooks (2012, p. 248) also 
considered standards within the security context, explaining that the purpose of security 
standards is to “produce the criteria within which the security technology or security service 
can be tested or evaluated”. Such articulations acknowledge that, in the protection of assets, 
passive protective elements of physical security are formally tested and evaluated against 
standard benchmarking, where tests are carried out in order to determine a product’s 
minimum delay time against a defined threat, and results are published for general
application (Garcia, 2007).


Security doors according to the EN 1627 and EN 1630 standards 


Accepting the use of formal benchmarking of physical security, EN 1627 and EN 1630 are 
European standards that include specifications for the requirements and classification 
systems for security doors (European standards, 2011). The EN 1627 standard includes six 
different resistance classes for security doors, resistance class RC1 to RC6, where RC2 offers 
the least delay time, and RC6 represents benchmarking of products with the highest delay 
time as defined within the standard. See table 1. Moreover, EN 1630 includes the test 
method for the determination of resistance to manual burglary attempts, and includes
toolsets against which each resistance class is tested (European standards, 2011).


Table 1: Delay times for each resistance class (European standards, 2011, p. 11) 


Resistance class | Delay time (minutes)
1                |
2                | 3
3                | 5
4                | 10
5                | 15
6                | 20


There are a number of governmental guidelines on physical security that rely on EN 1627-1630
when defining the requirements for passive protective elements. For instance, the
authority responsible for Sweden's transmission system for electricity requires that facilities
which are of crucial national significance use security doors that comply with RC3 according
to EN 1627 (Svenska Kraftnät, 2013). In addition, the Swedish civil contingencies agency
provides guidance that security doors graded RC4 should be used when designing
high-value data centers (Myndigheten för samhällsskydd och beredskap, 2014). EN 1627 is
also the document referenced by the Swedish SSF 200 standard, where the highest level of
physical protection as defined within the standard (protection level three) requires security
doors graded at RC4 according to EN 1627 (Stöldskyddsföreningen, 2015).


A closer look at RC4 security doors 


There are many different manufacturers of security doors graded RC4; they are, however, all
certified and tested according to the EN 1627 and EN 1630 standards. A security door 
graded RC4 typically consists of a frame of hollow steel profiles that are covered with two 
sheets of one-millimeter thick steel. Mineral wool insulation is not uncommon. 
Furthermore, the lock is mounted to the frame and may be supplemented by hooks above 
and below. A security door graded RC4 will also typically contain hardened pins for latching
on to the doorframe as well as reinforced hinges (Linge, 2016).


According to the EN 1627 and EN 1630 standards, security doors graded RC4 should provide 
10 minutes delay time against manual attacks. For each test in an area of attack, only one 
test team member is permitted (European Standards, 2011). According to EN 1627, the
anticipated method and attempts to gain entry for RC4 doors include a practiced burglar
who uses a heavy hammer, axe, chisels, and a portable battery powered drill. The heavy
hammer, axe, and drill give the burglar an increased number of attack methods. The burglar
anticipates a reasonable reward, is likely to be resolute, less concerned with the level of noise
produced, and prepared to take a greater risk (European Standards, 2011). The delay time
is determined by testing security doors graded RC4 against attack tools, as specified in table
2.
Table 2: Attack tools for testing security doors graded RC4¹


Quantity | Description
1        | Screwdriver; flat blade, length (365 ± 25) mm, blade width (16 ± 2,2) mm
1        | Crowbar; length (700 ± 20) mm
1        | Locksmiths hammer; head weight (200 ± 20) g, length (300 ± 20) mm
1        | Set of pin punches; diameters between 3 mm and 10 mm
1        | Hand drill; maximum length 355 mm
1        | Set of drill-bits; HSS or HS/CO parallel shank twist drills (jobber), Ø 1,0 mm to Ø 6 mm in steps of 0,5 mm. Only one drill bit of each diameter may be used.
1        | Club hammer; length (300 ± 25) mm, head weight (1,25 ± 0,1) kg
1        | Cold chisel; length (250 ± 25) mm, blade width (30 ± 5) mm
1        | Wood chisel; length (350 ± 25) mm, blade width (30 ± 5) mm
1        | Axe; length (350 ± 25) mm, head weight (800 ± 30) g
1        | Bolt-cutter; length (460 ± 50) mm
2        | Plate shears; left cutting and right cutting, length (260 ± 25) mm
1        | Cordless drilling machine; without percussion action, with two nominal 14.4 V battery packs (up to 3,2 Ah each)
1        | Set of drill-bits; HSS or HS/CO parallel shank twist drills (jobber), Ø 1,0 mm to Ø 13 mm in steps of 0,5 mm. Only one drill bit of each diameter may be used.


Case studies 


A case study analysis can be used to assess the efficacy of these standards. In this paper, the
case study analysis covers two high-value assets targeted by adversaries who used
advanced attack tools beyond those in the current standards; as a result, these cases are
informative in evaluating the current standards. For these cases, security doors graded RC4
could be part of a physical protection system’s passive protective elements.


The Helicopter robbery, Västberga, Sweden 2009


During the early morning on September 23, 2009, a stolen helicopter was landed on a cash
depot in Västberga, south of Stockholm. Descending using a ladder and entering through a
window in the roof of the depot, three adversaries proceeded to attack a number of security
doors leading to a cash storage space. Approximately $5 million was stolen during this
robbery. See figure 1.


¹ The toolsets for RC1 and RC2, which also are used when testing RC4, have not been included
in Table 1.


A Swedish National Police Board (2009) investigation found that a petrol driven power 
cutter was used to penetrate some of the passive protective elements (figure 2). The power 
cutter used diamond cutting blades with a diameter of 300 mm. Further investigations note 
that such tools are widely commercially available, and are easy to obtain, yet not considered
in security door standards.


Figure 1: Cash storage space robbery 
(Swedish National Police Board, 2009). 


Figure 2: The petrol driven power cutter used in the helicopter robbery 
(Swedish National Police Board, 2009). 
The Hatton Garden heist, London, United Kingdom, 2015


During the weekend of 3-5 April in 2015, four men descended into a safe deposit vault by 
attacking a number of passive protective elements impeding unauthorized entry. These 
adversaries opened seventy-three secure boxes taking valuables that were worth
approximately £200 million (Lashmar & Hobbs, 2018).


A post-robbery investigation found that power tools including an angle grinder, as well
as a heavy-duty drill were used in the heist. The drill was later identified as a Hilti DD350,
which was used to drill holes in a two-meter thick reinforced concrete wall to facilitate
entry into the vault (Peachy, 2016). See figure 3. Again, such tools are commercially
available, and are easy to obtain. Although the delay time required for breaking into the
Hatton Garden vault was significant, this case similarly illustrates that commercially
available tools, more advanced than those included in the EN 1627-1630 standards, are
being used for attacking passive protective elements of physical security.


Figure 3: The heavy-duty drill used in the Hatton Garden heist (Peachy, 2016).


The discrepancy between standards and contemporary commercially available tools


When protecting high-value assets, it is important that the physical protection system is 
designed in ways that consider the contemporary tools a potential adversary may use, as 
well as their availability. Correspondingly, there is a clear correlation between the attack 
tools used by an adversary, their expertise in using such tools, and the speed of attack (Chille, 
Mund & Moller, 2018). For instance, an experienced firefighter may be able to breach a 
security door graded RC3 in less than one minute, even when using rudimentary attack tools 
(Linge, 2016). Typically, the more advanced the attack tools and adversary’s experience, the 
faster the breach will occur. This relationship is illustrated in figure 4, where the delay time
required by the passive protective element is in direct correlation with the attack tools used.


[Figure 4: diagram with the labels “Attack tools used” (Moderate, Advanced) and “Delay time required”.]


Figure 4: The relationship between the attack tools used and the delay time required.


Based on the attack tool sets included in EN 1630 for grading security doors in different 
resistance classes, it may be argued that they do not represent a collection of contemporary 
and advanced attack tools. For instance, the most advanced attack tools included in EN 1627-1630
(European standards, 2011) are an electric drill (Nominal 1050 W ± 10 %, with
percussion action) and an angle grinder (Nominal 2300 W ± 10 %, disc diameter max 230
mm).


It is clear that, if applying EN 1627-1630 to the above cases, then the expected delay time
would be less than what the standards imply. This limitation is particularly obvious when
considering the attack tools used to certify security doors below RC4, where the
most advanced attack tools used for testing RC3 and below are a crowbar and a manual hand
drill (European standards, 2011). See figure 5.




Figure 5: A manual hand drill (3.5) and crowbar (3.2) used as attack tools 
when testing and certifying security doors graded RC3. 


As a result, even security doors graded RC6 would not provide the delay time that the 
standards specify when advanced attack tools are used, such as those used in the above case 
studies. As pointed out by Armstrong (2005), the typical threat to domestic or commercial 
premises does not always align with the threat against high-value assets, particularly those 
related to high-value government assets and critical infrastructure. Hence, although SS EN 
1627-1630 have their place when designing physical protection systems for high-value
assets, it is vital to understand the limitations of the standards, considering that actual delay
times may be shorter than specified within those documents.


Journal of Physical Security 12(1), 1-14 (2019)


In order to identify actual delay times, it is important that the threats to protected assets are 
assessed, defined, and aligned against current and planned passive protective elements 
within the physical security system. This applies especially to high-value government assets 
and critical infrastructure, considering the advanced threat such assets may face 
(Armstrong, 2005). Based on the assessed threat, evaluations of existing and potential 
mechanisms of delay within the physical protection system should be carried out to better 
identify any misalignment (Beard & Brooks, 2010). Where possible, both laboratory and 
vulnerability testing should be applied, as they are complementary (Beard & Brooks,
2010). 


In the cases of misalignment against the assessed threat, or insufficient possibilities for 
increasing delay time, focus should instead be on achieving timely detection and rapid 
response times in combination in order to compensate for those insufficiencies. Also, when 
possible, passive protective elements for the protection of high-value assets should be 
selected based on individual testing as opposed to compliance with a restrictively defined
standard.
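

The comparison argued for above, as an added worked example that is not part of the original paper: it sums the delay that remains after the first alarm along one adversary path and compares it with the response time, once with the rated delay times from Table 1 and once with delay times assessed against the actual threat. The site layout, the assessed delay values, and the 15-minute response time are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Rated delay times (minutes) per EN 1627 resistance class, as given in Table 1.
# Table 1 lists no delay time for RC1, so it contributes 0 here.
RATED_DELAY_MIN = {1: 0, 2: 3, 3: 5, 4: 10, 5: 15, 6: 20}


@dataclass(frozen=True)
class Layer:
    name: str
    resistance_class: int      # EN 1627 class the barrier is certified to
    detects: bool              # True if an alarm is raised when the attack on this layer starts
    assessed_delay_min: float  # delay measured against the assessed threat (constructed value)


def delay_after_detection(path, use_assessed):
    """Minutes of delay left once the first alarm is raised; None if no layer detects.

    Delay spent before detection buys the response force nothing, so only the
    detecting layer and the layers inside it are counted.
    """
    detected = False
    total = 0.0
    for layer in path:  # path is ordered from the outside towards the asset
        detected = detected or layer.detects
        if detected:
            total += (layer.assessed_delay_min if use_assessed
                      else RATED_DELAY_MIN[layer.resistance_class])
    return total if detected else None


def margin(path, response_min, use_assessed):
    """Delay after detection minus response time; negative means the adversary finishes first."""
    remaining = delay_after_detection(path, use_assessed)
    if remaining is None:
        return float("-inf")  # never detected, so never interrupted
    return remaining - response_min


def with_detection_at(path, index):
    """Copy of the path with detection added at layer `index` (earlier detection)."""
    return [replace(layer, detects=True) if i == index else layer
            for i, layer in enumerate(path)]


# Constructed site: three doors between the outside and the asset.
PATH = [
    Layer("perimeter door", 3, detects=False, assessed_delay_min=1.0),
    Layer("corridor door", 4, detects=True, assessed_delay_min=2.5),
    Layer("vault room door", 4, detects=False, assessed_delay_min=2.5),
]
RESPONSE_MIN = 15  # constructed response-force arrival time, in minutes

if __name__ == "__main__":
    print("margin with rated delay times   :", margin(PATH, RESPONSE_MIN, use_assessed=False))
    print("margin with assessed delay times:", margin(PATH, RESPONSE_MIN, use_assessed=True))
    earlier = with_detection_at(PATH, 0)
    print("assessed delay with perimeter detection:",
          delay_after_detection(earlier, use_assessed=True))
```

With the rated times this design has 5 minutes to spare; with the assessed times it falls short by 10 minutes, and detection at the perimeter recovers only one of them, so the response time would also have to drop below 6 minutes.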


Suggestions for future work 


As emphasized in this paper, there is a need for the SS EN 1627-1630 to be revised, providing 
a broader framework for analysis where specific barrier elements can be consistently tested 
accordant with the scientific method. Furthermore, in addition to the scope of current 
standards, new standards specifically designed for high-value government assets and critical 
infrastructure could facilitate a common approach for certifying passive protective elements
used for the protection of such assets.


Conclusion 


In this paper, I have argued that the SS EN 1627-1630 standards consider limited and
insufficient attack tools when testing passive protective elements. As illustrated by the cases
I have presented in this paper, adversaries with contemporary and advanced attack tools,
such as heavy drills and power cutters, will defeat passive protective elements in a shorter
delay time than the delay times specified by the SS EN 1627-1630 standards. Hence, security
for high-value assets needs to factor in the limitations of the SS EN 1627-1630 standards
when designing physical protection systems that are to stand up to adversaries using
contemporary and advanced attack tools.


I further propose that the SS EN 1627-1630 standards should be revised to include more 
advanced attack tools and thus more realistic delay times. In order to facilitate a common 
approach for certifying passive protective elements used for the protection of government 
high-value assets and critical infrastructure, I believe international standards specifically for
such assets may be prudent.


Abstract

Augmented reality, or AR, is where a live or direct view of the physical world as a person 
views it is augmented (or supplemented) with computer-generated sensory input such as 
sound, video, graphics, or GPS data. Today, AR has limited use in capacities ranging from 
projected GPS data in automobiles to various military applications in advanced jet fighters. 
This technology, however, is beginning to spread into popular, everyday use through video 
gaming as well as archaeology, architecture, visual art, and consumer shopping. Due to 
AR’s ability to provide instant access to critical information and real-time equipment 
control capabilities, the technology is beginning to find a variety of uses in mainstream
business applications. One area in particular where AR can impact business applications is
in the realm of physical security.


Areas where AR Integration Can Have a Positive Security Impact 

AR is still at least 3 to 5 years away from widespread application to security. However, 
security industry experts should not wait until then to begin planning how to leverage 
existing infrastructure to integrate it into their programs. The technology promises to offer 
at least four main benefits that will assist and transform how physical security is conducted
in the future:


• Access information and project anywhere - Instead of being tied to a computer
monitor, tablet or loads of paper plans, drawings, and diagrams, a wearer will be able
to walk around and project information and images onto any surface. In addition,
instead of having to go to an office or log into a computer network in the middle of the
night, a security supervisor will be able to put on the headset and instantly project
images or pictures onto the local surroundings to gain an improved situational
awareness. For instance, wearers will be able to project images of access control or
video camera diagrams, cable network or video footage over any door or window in a
facility for assessment purposes.


• X-ray vision and gaze tracking - Security personnel will be able to instantly “see”
network cables, pipes, and security equipment normally embedded in walls, floors, or
ceilings by accessing previously made videos. Vision through walls can be achieved
by accessing real-time feeds from other cameras inside another adjoining room, thus
allowing the wearer to “see” what is on the other side of the wall.


• Precise GPS-like indoor positioning - AR will automatically notify a dispatcher or
command center of the location of the wearer. Not only will this provide accurate 
SITREP detail, but will also aid in reducing radio chatter normally required to inform 
of a security officer or team’s location. It will allow directions to be received via the 
wearer's headset from the command center, enabling more accurate dispatch and 
assessment of alarms and direction of responders to intervene and disrupt a threat 
along the adversary path prior to reaching the critical point. This is also important 
during incident response where a chaotic situation can be viewed remotely and 
decisions affecting response can be made rapidly and effectively with an increased 
amount of certainty as video, 3D mapping, and other data will be instantly and readily
available.


• Capture of 3D photos and video - Video captured from the wearer’s headset can
instantly be transmitted to both the command center as well as to other members of a 
security or response team. This also aids in dispatch, assessment, and incident 
response, as real time data will be actioned almost instantly, allowing the time 
required for decision-making, plan changes, or response resource allocation to be
rapidly reduced. This also improves situational awareness for security personnel
because video captured during foot or vehicle patrols can instantly be assessed at a
command post and suspicious environments can be investigated, and support to the 
patrol can be dispatched quickly and efficiently to meet the level of a potential threat. 
Further, as the wearer moves around a location, AR will permit the development 
and/or update of 3D maps of the local environment, further aiding situational 
awareness and reducing reaction time by responders. It is quite likely that 3D 
analytics will eventually become a camera feature for static VSS systems that will be
directly and geographically linked to security personnel. As facial recognition
software continues to improve and evolve into a more accurate tool in the future, the 
importance of this 3D feature on wearable technology will exponentially increase. 
Security auditors can create a 3D layout diagram of an existing security system 
without the need for interpreting riser diagrams or elevation drawings and store it 
for future vulnerability assessment and countermeasure design and implementation
and overall risk management.


Many mainstream business and industrial firms have already taken up the standard of
integrating AR into their operations management functions. Taking that experience into
account, I want to highlight some of the benefits and challenges facing Chief Security
Officers (CSOs) and other physical security experts. I further want to highlight future
concerns that must be considered when attempting to implement AR into any physical
security program or daily operations. While some of these factors overlap, they are
considered separately here in order to highlight the specific point(s) I am trying to make.


Benefits of Integrating AR into Physical Security Programs 


AR can maximize customer understanding and improve overall satisfaction with security
operations. Security is often viewed as a “necessary evil”, and outside observers are
quickly turned off by the complexities of security equipment, processes, and outputs. AR
can visibly display information in a manner that is easy for decision-makers and clients to
understand. If a picture truly is worth a thousand words, then AR data displays can explain
recommendations and program specifics in a manner that helps bridge the understanding
gap between security practitioners and their clients or key corporate decision-makers.
This allows the security practitioner to properly set expectations, educate key internal and
external stakeholders, and facilitate more meaningful dialogue on security-related issues.


AR can be used to decrease time to issue an incident response. This can be accomplished
through improved control of personnel deployed in response to an alarm or incident,
which, in turn, allows for faster assessment of the real-world situation at the incident site. This
can also result in the more rapid assessment of alarms as being either False or Nuisance
Alarms, and allow decision-makers in a security command center to more rapidly and
effectively dispatch security personnel to respond to an alarm or incident.


The safety of responding security personnel can be enhanced through real-time GPS 
tracking of personnel location, allowing remote viewers to have digitally-enhanced maps 
showing the location of personnel. Safety is also enhanced through reducing the amount of 
danger to which response personnel are exposed. This is possible because AR can provide 
the ability to “see through” walls to view enclosed areas containing video surveillance
equipment from outside.


Security practitioners can use AR to minimize security countermeasure equipment 
downtime by displaying faulty equipment on a system map and allowing the subject matter 
experts to see cable connections, conduits, and other interconnection devices as part of the
troubleshooting process. Subject matter experts can then direct field personnel in any 
repair protocols, or provide more timely data on potential faults to companies with whom 
the security manager has developed master service agreements for maintenance activities. 
This reduces overall program cost, which is a benefit when it comes to budget planning
discussions.


Integrating AR into security procedures can reduce security team travel costs. The number 
of assessors needed to conduct a security audit of a site, or the requirement to have a
subject matter expert on-hand at a remote location whenever equipment fails can be 
reduced. This can lead to a noticeable decrease in air or rail ticket purchases, hotel stays, 
rental cars, and other associated travel costs, adding a measurable return on investment
that can be used to make the business case for AR program expenditures.


Security programs that integrate AR can also reap positive rewards through scaling of
expertise needed at specific, remote locations. Subject Matter Experts can provide live 
guidance to field personnel, who are instantly connected from any location using a mobile 
device. Likewise, deployed subject matter experts can provide recommended security 
guidance, recommendations, and solutions in real time to key decision-makers allowing for 
more complete and effective collaboration. Field personnel can be guided in performing 
best practices and rapidly improve their skills, allowing them to do more with less formal, 
in-house training needed. This allows a security company or client to more efficiently 
leverage resources and digitally track completed work. It enhances the security team 
productivity through a reduction in downtime associated with team member training
requirements.


Challenges that will Inevitably be Encountered 

First editions of these devices (such as Vuzix M100/300, Microsoft Hololens, and Google 
Tango) are currently being fielded after extensive testing. However, these AR devices are 
not without their limitations. Current battery life for the devices is quite limited (usually 2 
to 3 hours of constant use or less than a day in standby mode). This makes it difficult to 
conduct thorough assessments of patrol areas or assess large facilities such as warehouses 
or expansive sites, including factories or college campuses. It also has a negative impact on 
incident responders who often have to remain in the field at remote locations for extended 
periods, such as plane crash sites or train derailments. Further, these devices have a 
limited field of view and range for 3D mapping. Wearers will have to conduct numerous 
mapping assessments in order to completely cover very large facilities and to keep maps
current.


In addition, the current devices are heavy and bulky, which can be severely limiting in 
confined spaces or areas where hardhats are needed. AR control platforms cannot 
currently support other users accessing the devices simultaneously within the same space 
(i.e., within the same room). These devices can only be used indoors due to the limitations 
on the lasers they rely on. Moreover, the current generation of software is quite limited
and must be further refined/optimized. The pace of this optimization will initially be slow
as firms only now enter the AR/VR field with little or no experience. Thus, costs will
remain high until the level of user demand becomes sufficient to force software upgrades
and drive down prices.


Perhaps the most important limitation from a security perspective is the network interface 
needed to operate the device to its full potential. Securing the network against
unauthorized use and capture of the data will also be a challenge as these devices progress
toward full utilization in the physical security realm. These limitations, however, will only
serve to slow, not stop, the utilization of AR in various aspects of physical security.


The lack of practical, commercially-available AR hardware is perhaps the largest challenge 
facing security practitioners in integrating AR into their security program. Headsets and 
other equipment are not generally available at a cost-effective level for security 
professionals. Given that most security programs within a company are woefully
underfunded, or serve clients that want deliverables on a shoestring budget, AR prices need to
drop considerably before more widespread acceptance and use of AR in security
operations can be realized.


Once hardware is acquired, the next challenge to be overcome is the development of 
appropriate content. Without the proper content, it is difficult to get end-users to adopt the 
technology. Ensuring the proper content is aligned with security countermeasures, asset 
locations, etc. is a daunting task and—without the proper coordination—insufficient or
ill-conceived content is a show-stopper. Developing proper content is a time-consuming and
costly process that must be endured to ensure the successful integration of AR into a security
program.


Education of users is another huge hurdle. Most security practitioners, let alone key 
decision-makers and clients, may not be sufficiently tech-savvy or have regular exposure to 
AR. This leaves key stakeholders virtually blind to AR’s wide-reaching applications and
benefits. This can be overcome through setting proper expectations and education in the
use of and the value AR brings to physical security. However, this takes time and a lot of
effort on the part of the security practitioner.


Cost is always a return on investment driver for any profitable organization. Determining 
whether AR adds value to the organization can be a major limiting factor due to the front- 
end costs involved. Applications can run upwards of $30,000, while hardware, user 
licenses, and other elements can add an additional $3,000 per user to the total program 
cost. This challenge will eventually be overcome once the price of AR components drops to
an affordable level for everyday physical security end users.


Another challenge is that AR needs to become much more mobile. Transmission and 
display equipment will need to cut-the-cord and become mobile and transportable to 
engage a wider security audience. Most AR tech is currently limited by hardware requiring 
large numbers of power and data cords. Most AR-based service providers attempt to “cut 
the cord” by placing the equipment onto the user, either in the form of a backpack or some 
wearable technology. If the former technique is used, it often creates a heavy burden for
the user and limits battery life. If the latter, it limits the functionality of the app or device,
thus reducing overall app or equipment effectiveness.


AR requires faster communication speeds to realize its full potential. Users with 4G 
connectivity still experience clunky transmission of data using AR apps or devices. This is 
especially true when transmitting data from a remote location to a central viewing station, 
such as a security operations center. Work is underway by service providers for 
development of 5G technology and while advances have been made, there is still a long way
to go. Thus, users will continue to experience these issues for the foreseeable future.


Future Considerations for AR Integration 

As the use of AR expands, so will the need to protect against cybersecurity threats so that 
critical security provider or client networks are protected. The use of shared equipment 
may allow one individual to view the program on which another security practitioner is
working; this is important when one security person may not be “cleared” to view classified
or sensitive information related to a coworker’s project. Security protocols assume a
paramount importance should AR equipment be lost or stolen. Therefore, there is an
increased requirement to enact enhanced cybersecurity protocols that supplement the
rudimentary firewalls and other “accepted” cybersecurity protection measures. Such
measures can include some or all of the following: biometric tracking to authenticate the
user (retina scanning, fingerprint, etc.), system time-out or screen locking after a set period
of inactivity (as validated through eye tracking or other measures), or voice activated
security protocols.


Legal challenges due to privacy and safety issues are, in my opinion, the second most 
important issue that must be considered. At present, there is no clear format on how to 
integrate AR into security. Likewise, there are few current legal hurdles that must be 
overcome to enable a firm to use it. As the use of AR in security becomes more widespread, 
it is quite likely that legal aspects will also grow, to include regulation by governments at all 
levels on the content, use and distribution of AR data, how it is used, protected and stored, 
and other heretofore unforeseen issues. These issues will have to be worked through, 
often at high cost, which is a serious issue for security companies, particularly those with
thin profit margins.


Another potential threat is the lack of vision leading to corporate rejection, as briefly 
discussed in Challenge #3 (above). While the current trend is to use AR for gaming, and to 
a limited degree it is used as a wayfinding application for shopping purposes, there is a 
clear lack of vision and foresight into how AR can be integrated seamlessly and completely 
into security programs. This lack of vision lends credence to the idea that security 
programs chronically strapped for cash may never be approved for funding by key
decision-makers within the company’s finance and procurement approval chain.


Poor user experience due to overhype and underperformance is a continuing obstacle to
the integration and use of AR in security programs. AR always has a well-advertised
lead-in, but when the rubber-meets-the-road, current performance is almost universally
underwhelming. In a field such as security, where there is nothing clearly sexy about the
nature of the work being performed, an underwhelming experience often leads to
disinterest and, therefore, disuse. Thus, AR would be relegated to the “great concept, but
poor execution” trash bin. The key to overcoming this obstacle is to properly set
expectations and ensure that, as AR technologies advance, user expectations are
adjusted accordingly. This requires constant diligence on the part of the security
practitioner, but as rapid advances are made in technology and use, this role should
become more self-evident to the user and key stakeholders.


Limited equipment functionality continues to plague AR equipment and is an issue that 
could become more prevalent in building a case against the use of AR in security programs 
and operations. Issues such as field of view, ability of the computer programming to have 
sufficient focal length to prevent pixelization, and battery life (among a multitude of other 
functionality-related issues) continue to limit the scope and scale of how security 
practitioners can use AR technology. This can be overcome through improved capabilities 
to miniaturize components and equipment, though not completely. Inextricably linked to 
equipment functionality are miniaturization-related issues that limit the availability and 
use of AR equipment. While the continuing trend is to reduce the size of components to 
allow users to “wear” their AR equipment, the demand to do so always outpaces the ability 
of equipment providers to create it in the short period of time demanded by consumers. 
Currently, numerous established tech companies are engaged in a “tech arms race” to solve 
these problems—which have positive spillover uses for other goods those companies
provide—and do so in a quick and cost-effective manner.


The final, and often overlooked, threat facing AR integration into security programs is 
digital fatigue. The overuse of computers, smartphones, and other technology devices that 
are all-pervasive in society today could likely lead to a predisposed mindset on the part of 
security practitioners and clients to “unplug” themselves from all digital equipment, 
including AR. This would lead to a waning interest in and a decline in the use of AR 
equipment. The upside of this is that AR allows the user to work with digital augmentation 
but remain in the real world. Overcoming this obstacle seems easy now but may be the
most difficult as technology continues to take over every facet of our daily lives.


Conclusion

There are a number of positive and negative factors that must be thoroughly war-gamed to 
determine whether integrating AR into a physical security program is worthwhile. Factors 
such as cost of integration, education of key internal and external stakeholders, and future 
legal aspects must be carefully weighed against the benefits AR promises before a final 
decision is made. Only by understanding these key concepts (and others not discussed 
here) and working through the issues in advance, can the potential benefits of integrating
AR into a security program become a reality.


Viewpoint Paper


Making the Business Case for Security Investment* 


Roger G. Johnston, Ph.D., CPP 
Right Brain Security 


Traditionally, the case for spending more money on additional security resources is made 
by security managers with a Return on Investment (ROI) argument, or by using closely 
related Net Present Value (NPV) or Internal Rate of Return (IRR) methods.[1-7] In overly
simplified terms, these economic methods involve estimating the probability of a given 
successful security attack. This is multiplied by the estimated cost of the consequences if 
the attack should succeed. The total security expenditures over the time period in question 
for purposes of countering that attack should equal this product. 


The main problem with these economic approaches is that they often don’t work. In 
many organizations, the senior manager(s) or executive(s) who make the ultimate approvals
for security funding may be clueless about security and technology. They may be living and 
breathing examples of the Peter Principle [8]: the skills that get a senior manager or 
executive into their position may be unrelated to the skills needed to do a good job once 
there. Even more dangerous is the common situation where senior people in the 
organization can’t or won't envision security failures, so they are rarely going to buy the 
economic arguments for dealing with “theoretical” security risks. 


When senior executives do envision failure, they often decide the risk of a bad security 
incident occurring during their short tenure is low; better to save the money and look 
more profitable now, letting the security failure occur on somebody else’s watch. Besides, 
scapegoats can always be found if their luck runs out and security does fail during their 
time in office. Moreover, in our court system, it is often better to be able to plead 
ignorance, rather than instituting some security measure that isn’t 100% effective; 
installing a security measure is a tacit admission that the organization knew there were 
security risks, and juries don’t like that. 


ROI and related methods also suffer from the problem that estimating the probability of a 
successful attack is difficult, especially since vulnerabilities are often poorly understood 
due to a lack of adequate vulnerability assessments [9-12]. Moreover, the estimated total 
costs of a security incident are often underestimated; long-term damage to the 
organization’s reputation and good will is often not factored in, or only partially factored in. 


* This paper was not peer reviewed.


The fact that ROI-type approaches alone often don’t work very well is, I believe, fairly
well recognized by security professionals. Nowadays, many security managers and 
CSOs/CISOs use a hybrid approach: A little ROI/NPV/IRR, a little invoking regulations and 
standards, some discussion of the threats, and a little (timid) warning of consequences 
(including Public Relations and market-share damage) of bad security incidents. 


In my view, an ideal hybrid approach should involve the following steps: 


(1) Invoke “best security” practices, which rarely are captured by standards and 
regulations. Best practices are what a first-class organization strives for. 


(2) Enlist the legal department to help explain why meeting regulations and standards, but 
falling short of best practices, puts the organization at enormous legal, governmental, and 
Public Relations risk when (not if!) a serious security incident occurs. 


(3) Discuss what your competitors or similar organizations do for security. 


(4) Paint a very vivid picture of what multiple bad security failures look like for your 
organization. 


(5) Scare high-level executives with stories of the short- and long-term consequences of 
security failures in other organizations AND THE PERSONAL HARM THAT CAME TO THEIR 
EXECUTIVES AND SENIOR MANAGERS. 


(6) Bring in outside vulnerability assessors to help point out security problems and help 
with (4) and (5). 


(7) Bring in outside threat assessment experts to highlight the threats and to help with (4) 
and (5). 


(8) Finish up with a ROI/NPV/IRR argument based on (realistic) scare tactics, and with a 
SIMPLE explanation of why the new security measures can (at least partially) counter the 
organization’s security threats and weaknesses. But be sure to pitch multiple options, not 
just one. “What is my best option?” for security investment is a much better question than
“Should I do this thing?” and biases the decision-making process towards making some
kind of security investment. According to research by Paul Nutt, organizations that
consider options have more success than those that vote a proposal up or down.[13]


Some comments on this 8-step approach. 


• This 8-step approach can be even more effective for government organizations than
businesses, because government bureaucrats are especially easy to scare. 


• Economic methods alone rarely work for government organizations, because (as I know
from personal experience) saving money is not a priority, and people who propose
cost-saving measures are viewed with enormous suspicion by bureaucrats who don’t want to
lose financial turf. 


• “Best Practice” is rarely rigorously defined, but security professionals often have a
surprising degree of agreement on what constitutes best practice in any given 
environment. Moreover, the courts usually have had little trouble identifying what is best 
practice for purposes of civil litigation, based mostly on expert witnesses. 


• In presenting a request for security investment, it is essential to understand the
audience, their hot button issues, their risk appetite, and their terminology. 


• If requesting spending on technology, the security manager must shun mere techno-envy,
i.e., wanting only to be able to play with the latest overhyped, fad technology. Technology 
can be a useful tool for security but it rarely solves any given security problem, much less 
guarantees good security overall. 


• Most security managers are afraid to do (2), (4), (5), and (6) and rarely do them because
of fear, sustainability concerns, the shoot-the-messenger problem [7, 14] and the cry-wolf
problem [7, 15]. When they do ROI/NPV/IRR, it is rarely based on scare tactics. Security
managers, including CSOs/CISOs, almost always avoid scare tactics—foolishly, I believe.
Scare tactics work! And they can be made sustainable with careful management, explaining 
how past security attacks may have been averted or mitigated with the security currently 
in place, and emphasizing that the threats, vulnerabilities, and the technologies available to 
adversaries are constantly evolving. Moreover, security managers need to keep in mind 
why they were hired: to tell upper management what they need to know, not to make them 
feel warm and comfortable. Good security and comfort are not compatible. 


• In an attempt to limit career damage, security managers should be frank: “Look, I know
you senior executives are not going to be happy to hear what I have to tell you, and this
isn’t necessarily what is best for my career, but I was hired to help protect this
organization, and I have a professional and moral obligation to speak frankly about what I
believe needs to be done.” Ultimately, there is nothing unhealthy about a security manager 
being more security-focused than her corporate line management. 


In summary, it is time to move beyond mere ROI/NPV/IRR methods, and time to stop
being scared of “scare tactics” when there is plenty to be scared about.